Threat Encyclopedia

Short description
Win32/Agent.NAH is a file infector.
Installation
When executed, the virus creates the following folder:
  • %system_drive%\Documents and Settings\All Users\Application Data\Microsoft\MsDirect\
The following files are dropped in the same folder:
  • msdirect.dll (77 824 B)
  • msdirect.exe (172 544 B)
  • mskernel.sys (6272 B)
The following file is dropped into the %windir% folder:
  • _setup.exe
The following file is dropped into the current folder:
  • flower.jpg (112624 B)
The virus opens the file using the default image viewer.

The virus registers itself as a system service using the following name:
  • COM+

The virus loads and injects the msdirect.dll library into the following processes:
  • %windir%\explorer.exe
  • firefox.exe
  • iexplore.exe
  • myie.exe
  • netscape.exe
  • opera.exe
Executable files infection
The virus searches for executables with one of the following extensions:
  • .exe
Files are infected by adding a new section that contains the virus. The host file is modified so that the virus is executed before the original code runs. The size of the inserted code is 240 KB.
Information stealing
The virus is able to log keystrokes. The data is saved in the following file:
  • msoffice.log
The virus can send the information to a remote machine. The SMTP protocol is used.
Other information
The virus creates the following files:
  • app log.log
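
The file indicators listed above can be checked on a live drive or a mounted disk image with a short sweep. This is an added example, not part of the original entry: the `strong`/`weak` grading and the function names are assumptions made here, while the file names, sizes and the MsDirect folder come from the description.

```python
import os

# Indicators from the description above: file name -> (size in bytes, expected parent folder).
# None means the entry gives no size, or no fixed folder, for that file.
IOCS = {
    "msdirect.dll": (77824, "msdirect"),
    "msdirect.exe": (172544, "msdirect"),
    "mskernel.sys": (6272, "msdirect"),
    "_setup.exe": (None, None),      # dropped into %windir%, which varies per host
    "flower.jpg": (112624, None),    # dropped into the current folder
    "msoffice.log": (None, None),    # keystroke log, folder not stated
    "app log.log": (None, None),
}

def grade(path):
    """Return 'strong', 'weak' or None for one file path (grading is an assumption)."""
    name = os.path.basename(path).lower()
    if name not in IOCS:
        return None
    size, folder = IOCS[name]
    parent = os.path.basename(os.path.dirname(path)).lower()
    size_ok = size is not None and os.path.getsize(path) == size
    folder_ok = folder is not None and parent == folder
    # A common name alone (flower.jpg, _setup.exe) is only a lead;
    # a matching size or the MsDirect folder corroborates it.
    return "strong" if size_ok or folder_ok else "weak"

def sweep(root):
    """Walk a live drive or mounted image; return sorted [(relative path, grade)]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                result = grade(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if result:
                hits.append((os.path.relpath(full, root), result))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for rel, result in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{result:6} {rel}")
```

Weak hits are leads only, since names such as flower.jpg and _setup.exe are common. The COM+ service registration and the library injection into running processes need a live-system check that this sweep does not cover.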